FoxyCart_Helper::fc_hash_value() - Code Metrics - Inspection of "Add to Cart Form - initial build" - dynamic/silverstripe-foxy - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Pull Request — master (#20)

by Jason

created 2019-05-14 05:44 UTC

FoxyCart_Helper::fc_hash_value() B

↳ Parent: FoxyCart_Helper

Complexity

Conditions	9
Paths	13

Size

Total Lines	30
Code Lines	18

Duplication

Lines	0
Ratio	0 %

Importance

Changes	2
Bugs	0	Features	0

Metric	Value
cc	9
eloc	18
c	2
b	0
f	0
nc	13
nop	6
dl	0
loc	30
rs	8.0555

<?php

use Dynamic\Foxy\Model\Foxy;

/**
 * FoxyCart_Helper
 *
 * @author FoxyCart.com
 * @copyright FoxyCart.com LLC, 2011
 * @version 2.0.0.20171024
 * @license MIT http://opensource.org/licenses/MIT
 * @example http://wiki.foxycart.com/docs/cart/validation
 *
 * Requirements:
 *   - Form "code" values should not have leading or trailing whitespace.
 *   - Cannot use double-pipes in an input's name
 *   - Empty textareas are assumed to be "open"
 */
class FoxyCart_Helper
{

    /**
     * API Key (Secret)
     *
     * @var string
     **/
    private static $secret;

    public static function setSecret($secret)
    {
        self::$secret = $secret;
    }
    public static function getSecret()
    {
        return self::$secret;
    }

    /**
     * Cart URL
     *
     * @var string
     * Notes: Could be 'https://yourdomain.foxycart.com/cart' or 'https://secure.yourdomain.com/cart'
     **/
    protected static $cart_url;

    public static function setCartUrl($cart_url)
    {
        self::$cart_url = $cart_url;
    }
    public static function getCartUrl()
    {
        return self::$cart_url;
    }

    public function __construct()
    {
        self::setCartURL(Foxy::getStoreDomain());
        self::setSecret(Foxy::getStoreKey());
    }

    /**
     * Cart Excludes
     *
     * Arrays of values and prefixes that should be ignored when signing links and forms.
     * @var array
     */
    protected static $cart_excludes = array(
        // Analytics values
        '_', '_ga', '_ke',
        // Cart values
        'cart', 'fcsid', 'empty', 'coupon', 'output', 'sub_token', 'redirect', 'callback', 'locale', 'template_set',
        // Checkout pre-population values
        'customer_email', 'customer_first_name', 'customer_last_name', 'customer_address1', 'customer_address2',
        'customer_city', 'customer_state', 'customer_postal_code', 'customer_country', 'customer_phone',
        'customer_company',
        'billing_first_name', 'billing_last_name', 'billing_address1', 'billing_address2',
        'billing_city', 'billing_postal_code', 'billing_region', 'billing_phone', 'billing_company',
        'shipping_first_name', 'shipping_last_name', 'shipping_address1', 'shipping_address2',
        'shipping_city', 'shipping_state', 'shipping_country', 'shipping_postal_code', 'shipping_region',
        'shipping_phone', 'shipping_company',
    );
    protected static $cart_excludes_prefixes = array(
        'h:', 'x:', '__', 'utm_'
    );

    /**
     * Debugging
     *
     * Set to $debug to TRUE to enable debug logging.
     *
     */
    protected static $debug = false;
    protected static $log = array();


    /**
     * "Link Method": Generate HMAC SHA256 for GET Query Strings
     *
     * Notes: Can't parse_str because PHP doesn't support non-alphanumeric characters as array keys.
     * @return string
     **/
    public static function fc_hash_querystring($qs, $output = true)
    {
        self::$log[] = '<strong>Signing link</strong> with data: '.htmlspecialchars(substr($qs, 0, 1500)).
            '...';
        $fail = self::$cart_url.'?'.$qs;

        // If the link appears to be hashed already, don't bother
        if (strpos($qs, '||')) {
            self::$log[] = '<strong>Link appears to be signed already</strong>: '.htmlspecialchars($code[0]);

            return $fail;
        }

        // Stick an ampersand on the beginning of the querystring to make matching the first element a little easier
        $qs = '&'.$qs;

        // Get all the prefixes, codes, and name=value pairs
        preg_match_all(
            '%(?P<amp>&(?:amp;)?)(?P<prefix>[a-z0-9]{1,3}:)?(?P<name>[^=]+)=(?P<value>[^&]+)%',
            $qs,
            $pairs,
            PREG_SET_ORDER
        );
        self::$log[] = 'Found the following pairs to sign:<pre>'.htmlspecialchars(print_r($pairs, true)).'</pre>';

        // Get all the "code" values, set the matches in $codes
        $codes = array();
        foreach ($pairs as $pair) {
            if ($pair['name'] == 'code') {
                $codes[$pair['prefix']] = $pair['value'];
            }
        }
        foreach ($pairs as $pair) {
            if ($pair['name'] == 'parent_code') {
                $codes[$pair['prefix']] .= $pair['value'];
            }
        }
        if (! count($codes)) {
            self::$log[] = '<strong style="color:#600;">No code found</strong> for the above link.';
            return $fail;
        }
        self::$log[] = '<strong style="color:orange;">CODES found:</strong> '.
            htmlspecialchars(print_r($codes, true));

        // Sign the name/value pairs
        foreach ($pairs as $pair) {
            // Skip the cart excludes
            $include_pair = true;
            if (in_array($pair['name'], self::$cart_excludes)) {
                $include_pair = false;
            }
            foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
                if (substr(
                    strtolower($pair['prefix'].$pair['name']),
                    0,
                    strlen($exclude_prefix)
                ) == $exclude_prefix
                ) {
                    $include_pair = false;
                }
            }
            if (!$include_pair) {
                self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or prefix "'.
                    $pair['prefix'].$pair['name'].'" = '.$pair['value'];
                continue;
            }
            // Continue to sign the value and replace the name=value in the querystring with name=value||hash
            $value = self::fc_hash_value(
                $codes[$pair['prefix']],
                urldecode($pair['name']),
                urldecode($pair['value']),
                'value',
                false,
                'urlencode'
            );
            if (urldecode($pair['value']) == '--OPEN--') {
                $replacement = $pair['amp'].$value.'=';
            } else {
                $replacement = $pair['amp'].$pair['prefix'].urlencode($pair['name']).'='.$value;
            }
            $qs = str_replace($pair[0], $replacement, $qs);
            self::$log[] = 'Signed <strong>'.$pair['name'].'</strong> = <strong>'.$pair['value'].'</strong> with '.
                $replacement.'.<br />Replacing: '.$pair[0].'<br />With... '.$replacement;
        }
        $qs = ltrim($qs, '&'); // Get rid of that leading ampersand we added earlier

        if ($output) {
            echo self::$cart_url.'?'.$qs;
        } else {
            return self::$cart_url.'?'.$qs;
        }
    }


    /**
     * "Form Method": Generate HMAC SHA256 for form elements or individual <input />s
     *
     * @return string
     **/
    public static function fc_hash_value(
        $product_code,
        $option_name,
        $option_value = '',
        $method = 'name',
        $output = true,
        $urlencode = false
    ) {
        if (!$product_code || !$option_name) {
            return false;

        }
        $option_name = str_replace(' ', '_', $option_name);
        if ($option_value == '--OPEN--') {
            $hash = hash_hmac('sha256', $product_code.$option_name.$option_value, self::$secret);
            $value = ($urlencode) ? urlencode($option_name).'||'.$hash.'||open' : $option_name.'||'.$hash.'||open';
        } else {
            $hash = hash_hmac('sha256', $product_code.$option_name.$option_value, self::$secret);
            self::$log[] = '<strong>Challenge: </strong><span style="font-family:monospace; color:blue"><code>'.
                $product_code.$option_name.$option_value.'</code></span>';
            if ($method == 'name') {
                $value = ($urlencode) ? urlencode($option_name).'||'.$hash : $option_name.'||'.$hash;
            } else {
                $value = ($urlencode) ? urlencode($option_value).'||'.$hash : $option_value.'||'.$hash;
            }
        }

        if ($output) {
            echo $value;
        } else {
            return $value;
        }
    }

    /**
     * Raw HTML Signing: Sign all links and form elements in a block of HTML
     *
     * Accepts a string of HTML and signs all links and forms.
     * Requires link 'href' and form 'action' attributes to use 'https' and not 'http'.
     * Requires a 'code' to be set in every form.
     *
     * @return string
     **/
    public static function fc_hash_html($html)
    {
        // Initialize some counting
        $count['temp'] = 0; // temp counter

        $count['links'] = 0;
        $count['forms'] = 0;
        $count['inputs'] = 0;
        $count['lists'] = 0;
        $count['textareas'] = 0;

        // Find and sign all the links
        preg_match_all(
            '%<a .*?href=([\'"])'.preg_quote(self::$cart_url).'(?:\.php)?\?(.+?)\1.*?>%i',
            $html,
            $querystrings
        );
        self::$log[] = '<strong>Querystrings: </strong><pre>' . htmlspecialchars(print_r($querystrings, true)) .
            '</pre>';
        // print_r($querystrings);
        foreach ($querystrings[2] as $querystring) {
            // If it's already signed, skip it.
            if (strpos($querystring, '||')) {
                continue;
            }
            $pattern = '%(href=([\'"]))'.preg_quote(self::$cart_url, '%').'(?:\.php)?\?'.
                preg_quote($querystring, '%').'\2%i';
            $signed = self::fc_hash_querystring($querystring, false);
            $html = preg_replace($pattern, '$1'.$signed.'$2', $html, -1, $count['temp']);
            $count['links'] += $count['temp'];
        }
        unset($querystrings);

        // Find and sign all form values
        preg_match_all(
            '%<form [^>]*?action=[\'"]'.preg_quote(self::$cart_url).'(?:\.php)?[\'"].*?>(.+?)</form>%is',
            $html,
            $forms
        );
        foreach ($forms[1] as $form) {
            $count['forms']++;
            self::$log[] = '<strong>Signing form</strong> with data: '.
                htmlspecialchars(substr($form, 0, 150)).'...';

            // Store the original form so we can replace it when we're done
            $form_original = $form;

            // Check for the "code" input, set the matches in $codes
            if (!preg_match_all(
                '%<[^>]*?name=([\'"])([0-9]{1,3}:)?code\1[^>]*?>%i',
                $form,
                $codes,
                PREG_SET_ORDER
            )) {
                self::$log[] = '<strong style="color:#600;">No code found</strong> for the above form.';
                continue;
            }
            // For each code found, sign the appropriate inputs
            foreach ($codes as $code) {
                // If the form appears to be hashed already, don't bother
                if (strpos($code[0], '||')) {
                    self::$log[] = '<strong>Form appears to be signed already</strong>: '.htmlspecialchars($code[0]);
                    continue;
                }
                // Get the code and the prefix
                $prefix = (isset($code[2])) ? $code[2] : '';
                preg_match('%<[^>]*?value=([\'"])(.+?)\1[^>]*?>%i', $code[0], $code);
                $code = trim($code[2]);
                self::$log[] = '<strong>Prefix for '.htmlspecialchars($code).'</strong>: '.htmlspecialchars($prefix);
                if (!$code) { // If the code is empty, skip this form or specific prefixed elements
                    continue;
                }

                // Sign all <input /> elements with matching prefix
                preg_match_all(
                    '%<input [^>]*?name=([\'"])'.preg_quote($prefix).'(?![0-9]{1,3})(?:.+?)\1[^>]*>%i',
                    $form,
                    $inputs
                );

                // get parent codes if they exist and append them to our code
                $parent_code_index = false;
                foreach ($inputs[0] as $key => $item) {
                    if (strpos($item, 'parent_code') !== false) {
                        $parent_code_index = $key;
                    }
                }
                if ($parent_code_index !== false) {
                    if (preg_match('%value=([\'"])(.*?)\1%i', $inputs[0][$parent_code_index], $value)) {
                        $code .= $value[2];
                    }
                }

                foreach ($inputs[0] as $input) {
                    $count['inputs']++;
                    // Test to make sure both name and value attributes are found
                    if (preg_match(
                        '%name=([\'"])'.preg_quote($prefix).'(?![0-9]{1,3})(.+?)\1%i',
                        $input,
                        $name
                    ) > 0) {
                        preg_match('%value=([\'"])(.*?)\1%i', $input, $value);
                        $value = (count($value) > 0) ? $value : array('', '', '');
                        preg_match('%type=([\'"])(.*?)\1%i', $input, $type);
                        $type = (count($type) > 0) ? $type : array('', '', '');
                        // Skip the cart excludes
                        $include_input = true;
                        if (in_array($prefix.$name[2], self::$cart_excludes)) {
                            $include_input = false;
                        }
                        foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
                            if (substr(strtolower($prefix.$name[2]), 0, strlen($exclude_prefix)) == $exclude_prefix) {
                                $include_input = false;
                            }
                        }
                        if (!$include_input) {
                            self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or 
                                prefix "'.$prefix.$name[2].'" = '.$value[2];
                            continue;
                        }
                        self::$log[] = '<strong>INPUT['.$type[2].']:</strong> Name: <strong>'.$prefix.
                            htmlspecialchars(preg_quote($name[2])).'</strong>';
                        $value[2] = ($value[2] == '') ? '--OPEN--' : $value[2];
                        if ($type[2] == 'radio') {
                            self::$log[] = '<strong>Replacement Pattern:</strong> ([\'"])'.
                                $prefix.preg_quote($value[2]).'\1';
                            $input_signed = preg_replace(
                                '%([\'"])'.preg_quote($value[2]).'\1%',
                                '${1}'.self::fc_hash_value($code, $name[2], $value[2], 'value', false).
                                "$1",
                                $input
                            );
                        } else {
                            self::$log[] = '<strong>Replacement Pattern:</strong> name=([\'"])'.
                                $prefix.preg_quote($name[2]).'\1';
                            $input_signed = preg_replace(
                                '%name=([\'"])'.$prefix.preg_quote($name[2]).'\1%',
                                'name=${1}'.$prefix.self::fc_hash_value(
                                    $code,
                                    $name[2],
                                    $value[2],
                                    'name',
                                    false
                                )."$1",
                                $input
                            );
                        }
                        self::$log[] = '<strong>INPUT:</strong> Code: <strong>'.htmlspecialchars($prefix.$code).
                            '</strong> :: Name: <strong>'.htmlspecialchars($prefix.$name[2]).
                            '</strong> :: Value: <strong>'.htmlspecialchars($value[2]).
                            '</strong><br />Initial input: '.htmlspecialchars($input).
                            '<br />Signed: <span style="color:#060;">'.htmlspecialchars($input_signed).'</span>';
                        $form = str_replace($input, $input_signed, $form);
                    }
                }
                self::$log[] = '<strong>FORM after INPUTS:</strong> <pre>'.htmlspecialchars($form).'</pre>';

                // Sign all <option /> elements
                preg_match_all(
                    '%<select [^>]*name=([\'"])'.preg_quote($prefix).'(?![0-9]{1,3})(.+?)\1[^>]*>(.+?)</select>%is',
                    $form,
                    $lists,
                    PREG_SET_ORDER
                );
                foreach ($lists as $list) {
                    $count['lists']++;
                    // Skip the cart excludes
                    $include_input = true;
                    if (in_array($prefix.$list[2], self::$cart_excludes)) {
                        $include_input = false;
                    }
                    foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
                        if (substr(strtolower($prefix.$list[2]), 0, strlen($exclude_prefix)) == $exclude_prefix) {
                            $include_input = false;
                        }
                    }
                    if (!$include_input) {
                        self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or 
                            prefix "'.$prefix.$list[2];
                        continue;
                    }
                    preg_match_all(
                        '%<option [^>]*value=([\'"])(.+?)\1[^>]*>(?:.*?)</option>%i',
                        $list[0],
                        $options,
                        PREG_SET_ORDER
                    );
                    self::$log[] = '<strong>Options:</strong> <pre>'.htmlspecialchars(print_r($options, true)).'</pre>';
                    unset($form_part_signed);
                    foreach ($options as $option) {
                        if (!isset($form_part_signed)) {
                            $form_part_signed = $list[0];
                        }
                        $option_signed = preg_replace(
                            '%'.preg_quote($option[1]).preg_quote($option[2]).preg_quote($option[1]).'%',
                            $option[1].self::fc_hash_value($code, $list[2], $option[2], 'value', false).
                                $option[1],
                            $option[0]
                        );
                        $form_part_signed = str_replace($option[0], $option_signed, $form_part_signed);
                        self::$log[] = '<strong>OPTION:</strong> Code: <strong>'.htmlspecialchars($prefix.$code).
                            '</strong> :: Name: <strong>'.htmlspecialchars($prefix.$list[2]).
                            '</strong> :: Value: <strong>'.htmlspecialchars($option[2]).
                            '</strong><br />Initial option: '.htmlspecialchars($option[0]).
                            '<br />Signed: <span style="color:#060;">'.htmlspecialchars($option_signed).'</span>';
                    }
                    $form = str_replace($list[0], $form_part_signed, $form);

                }
                self::$log[] = '<strong>FORM after OPTIONS:</strong> <pre>'.htmlspecialchars($form).'</pre>';

                // Sign all <textarea /> elements
                preg_match_all('%<textarea [^>]*name=([\'"])'.preg_quote($prefix).
                    '(?![0-9]{1,3})(.+?)\1[^>]*>(.*?)</textarea>%is', $form, $textareas, PREG_SET_ORDER);
                // echo "\n\nTextareas: ".print_r($textareas, true);
                foreach ($textareas as $textarea) {
                    $count['textareas']++;
                    // Skip the cart excludes
                    $include_input = true;
                    if (in_array($prefix.$textarea[2], self::$cart_excludes)) {
                        $include_input = false;
                    }
                    foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
                        if (substr(strtolower($prefix.$textarea[2]), 0, strlen($exclude_prefix)) == $exclude_prefix) {
                            $include_input = false;
                        }
                    }
                    if (!$include_input) {
                        self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or 
                            prefix "'. $prefix.$textarea[2];
                        continue;
                    }
                    // Tackle implied "--OPEN--" first, if textarea is empty
                    $textarea[3] = ($textarea[3] == '') ? '--OPEN--' : $textarea[3];
                    $textarea_signed = preg_replace(
                        '%name=([\'"])'.preg_quote($prefix.$textarea[2]).'\1%',
                        "name=$1".self::fc_hash_value($code, $textarea[2], $textarea[3], 'name', false)."$1",
                        $textarea[0]
                    );
                    $form = str_replace($textarea[0], $textarea_signed, $form);
                    self::$log[] = '<strong>TEXTAREA:</strong> Code: <strong>'.htmlspecialchars($prefix.$code).
                        '</strong> :: Name: <strong>'.htmlspecialchars($prefix.$textarea[2]).
                        '</strong> :: Value: <strong>'.htmlspecialchars($textarea[3]).
                        '</strong><br />Initial textarea: '.htmlspecialchars($textarea[0]).
                        '<br />Signed: <span style="color:#060;">'.htmlspecialchars($textarea_signed).'</span>';
                }
                self::$log[] = '<strong>FORM after TEXTAREAS:</strong> <pre>'.htmlspecialchars($form).'</pre>';

                // Exclude all <button> elements
                $form = preg_replace(
                    '%<button ([^>]*)name=([\'"])(.*?)\1([^>]*>.*?</button>)%i',
                    "<button $1name=$2x:$3$4",
                    $form
                );
            }
            // Replace the entire form
            self::$log[] = '<strong>FORM after ALL:</strong> <pre>'.htmlspecialchars($form).'</pre>'.'replacing <pre>'.
                htmlspecialchars($form_original).'</pre>';
            $html = str_replace($form_original, $form, $html);
            self::$log[] = '<strong>FORM end</strong><hr />';
        }

        // Return the signed output
        $output = '';
        if (self::$debug) {
            self::$log['Summary'] = $count['links'].' links signed. '.$count['forms'].' forms signed. '.
                $count['inputs'].' inputs signed. '.$count['lists'].' lists signed. '.$count['textareas'].
                ' textareas signed.';
            $output .= '<div style="background:#fff;"><h3>FoxyCart HMAC Debugging:</h3><ul>';
            foreach (self::$log as $name => $value) {
                $output .= '<li><strong>'.$name.':</strong> '.$value.'</li>'."\n";
            }
            $output .= '</ul><hr />';
        }
        return $output.$html;
    }
}


1			<?php
2
3			use Dynamic\Foxy\Model\Foxy;
4
5			/**
6			* FoxyCart_Helper
7			*
8			* @author FoxyCart.com
9			* @copyright FoxyCart.com LLC, 2011
10			* @version 2.0.0.20171024
11			* @license MIT http://opensource.org/licenses/MIT
12			* @example http://wiki.foxycart.com/docs/cart/validation
13			*
14			* Requirements:
15			* - Form "code" values should not have leading or trailing whitespace.
16			* - Cannot use double-pipes in an input's name
17			* - Empty textareas are assumed to be "open"
18			*/
19			class FoxyCart_Helper
20			{
21
22			/**
23			* API Key (Secret)
24			*
25			* @var string
26			**/
27			private static $secret;
28
29			public static function setSecret($secret)
30			{
31			self::$secret = $secret;
32			}
33			public static function getSecret()
34			{
35			return self::$secret;
36			}
37
38			/**
39			* Cart URL
40			*
41			* @var string
42			* Notes: Could be 'https://yourdomain.foxycart.com/cart' or 'https://secure.yourdomain.com/cart'
43			**/
44			protected static $cart_url;
45
46			public static function setCartUrl($cart_url)
47			{
48			self::$cart_url = $cart_url;
49			}
50			public static function getCartUrl()
51			{
52			return self::$cart_url;
53			}
54
55			public function __construct()
56			{
57			self::setCartURL(Foxy::getStoreDomain());
58			self::setSecret(Foxy::getStoreKey());
59			}
60
61			/**
62			* Cart Excludes
63			*
64			* Arrays of values and prefixes that should be ignored when signing links and forms.
65			* @var array
66			*/
67			protected static $cart_excludes = array(
68			// Analytics values
69			'_', '_ga', '_ke',
70			// Cart values
71			'cart', 'fcsid', 'empty', 'coupon', 'output', 'sub_token', 'redirect', 'callback', 'locale', 'template_set',
72			// Checkout pre-population values
73			'customer_email', 'customer_first_name', 'customer_last_name', 'customer_address1', 'customer_address2',
74			'customer_city', 'customer_state', 'customer_postal_code', 'customer_country', 'customer_phone',
75			'customer_company',
76			'billing_first_name', 'billing_last_name', 'billing_address1', 'billing_address2',
77			'billing_city', 'billing_postal_code', 'billing_region', 'billing_phone', 'billing_company',
78			'shipping_first_name', 'shipping_last_name', 'shipping_address1', 'shipping_address2',
79			'shipping_city', 'shipping_state', 'shipping_country', 'shipping_postal_code', 'shipping_region',
80			'shipping_phone', 'shipping_company',
81			);
82			protected static $cart_excludes_prefixes = array(
83			'h:', 'x:', '__', 'utm_'
84			);
85
86			/**
87			* Debugging
88			*
89			* Set to $debug to TRUE to enable debug logging.
90			*
91			*/
92			protected static $debug = false;
93			protected static $log = array();
94
95
96			/**
97			* "Link Method": Generate HMAC SHA256 for GET Query Strings
98			*
99			* Notes: Can't parse_str because PHP doesn't support non-alphanumeric characters as array keys.
100			* @return string
101			**/
102			public static function fc_hash_querystring($qs, $output = true)
103			{
104			self::$log[] = '<strong>Signing link</strong> with data: '.htmlspecialchars(substr($qs, 0, 1500)).
105			'...';
106			$fail = self::$cart_url.'?'.$qs;
107
108			// If the link appears to be hashed already, don't bother
109			if (strpos($qs, '\|\|')) {
110			self::$log[] = '<strong>Link appears to be signed already</strong>: '.htmlspecialchars($code[0]);
			0 ignored issues – show Comprehensibility Best Practice introduced 2019-05-14 05:23 UTC by Report Bug Copy Issue Report The variable `$code` does not exist. Did you maybe mean `$codes`? Loading history...
111			return $fail;
112			}
113
114			// Stick an ampersand on the beginning of the querystring to make matching the first element a little easier
115			$qs = '&'.$qs;
116
117			// Get all the prefixes, codes, and name=value pairs
118			preg_match_all(
119			'%(?P<amp>&(?:amp;)?)(?P<prefix>[a-z0-9]{1,3}:)?(?P<name>[^=]+)=(?P<value>[^&]+)%',
120			$qs,
121			$pairs,
122			PREG_SET_ORDER
123			);
124			self::$log[] = 'Found the following pairs to sign:<pre>'.htmlspecialchars(print_r($pairs, true)).'</pre>';
125
126			// Get all the "code" values, set the matches in $codes
127			$codes = array();
128			foreach ($pairs as $pair) {
129			if ($pair['name'] == 'code') {
130			$codes[$pair['prefix']] = $pair['value'];
131			}
132			}
133			foreach ($pairs as $pair) {
134			if ($pair['name'] == 'parent_code') {
135			$codes[$pair['prefix']] .= $pair['value'];
136			}
137			}
138			if (! count($codes)) {
139			self::$log[] = '<strong style="color:#600;">No code found</strong> for the above link.';
140			return $fail;
141			}
142			self::$log[] = '<strong style="color:orange;">CODES found:</strong> '.
143			htmlspecialchars(print_r($codes, true));
144
145			// Sign the name/value pairs
146			foreach ($pairs as $pair) {
147			// Skip the cart excludes
148			$include_pair = true;
149			if (in_array($pair['name'], self::$cart_excludes)) {
150			$include_pair = false;
151			}
152			foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
153			if (substr(
154			strtolower($pair['prefix'].$pair['name']),
155			0,
156			strlen($exclude_prefix)
157			) == $exclude_prefix
158			) {
159			$include_pair = false;
160			}
161			}
162			if (!$include_pair) {
163			self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or prefix "'.
164			$pair['prefix'].$pair['name'].'" = '.$pair['value'];
165			continue;
166			}
167			// Continue to sign the value and replace the name=value in the querystring with name=value\|\|hash
168			$value = self::fc_hash_value(
169			$codes[$pair['prefix']],
170			urldecode($pair['name']),
171			urldecode($pair['value']),
172			'value',
173			false,
174			'urlencode'
175			);
176			if (urldecode($pair['value']) == '--OPEN--') {
177			$replacement = $pair['amp'].$value.'=';
178			} else {
179			$replacement = $pair['amp'].$pair['prefix'].urlencode($pair['name']).'='.$value;
180			}
181			$qs = str_replace($pair[0], $replacement, $qs);
182			self::$log[] = 'Signed <strong>'.$pair['name'].'</strong> = <strong>'.$pair['value'].'</strong> with '.
183			$replacement.'.<br />Replacing: '.$pair[0].'<br />With... '.$replacement;
184			}
185			$qs = ltrim($qs, '&'); // Get rid of that leading ampersand we added earlier
186
187			if ($output) {
188			echo self::$cart_url.'?'.$qs;
189			} else {
190			return self::$cart_url.'?'.$qs;
191			}
192			}
193
194
195			/**
196			* "Form Method": Generate HMAC SHA256 for form elements or individual <input />s
197			*
198			* @return string
199			**/
200			public static function fc_hash_value(
201			$product_code,
202			$option_name,
203			$option_value = '',
204			$method = 'name',
205			$output = true,
206			$urlencode = false
207			) {
208			if (!$product_code \|\| !$option_name) {
209			return false;
			0 ignored issues – show Bug Best Practice introduced 2019-05-14 05:45 UTC by Report Bug Copy Issue Report The expression `return false` returns the type `false` which is incompatible with the documented return type `string`. Loading history...
210			}
211			$option_name = str_replace(' ', '_', $option_name);
212			if ($option_value == '--OPEN--') {
213			$hash = hash_hmac('sha256', $product_code.$option_name.$option_value, self::$secret);
214			$value = ($urlencode) ? urlencode($option_name).'\|\|'.$hash.'\|\|open' : $option_name.'\|\|'.$hash.'\|\|open';
215			} else {
216			$hash = hash_hmac('sha256', $product_code.$option_name.$option_value, self::$secret);
217			self::$log[] = '<strong>Challenge: </strong><span style="font-family:monospace; color:blue"><code>'.
218			$product_code.$option_name.$option_value.'</code></span>';
219			if ($method == 'name') {
220			$value = ($urlencode) ? urlencode($option_name).'\|\|'.$hash : $option_name.'\|\|'.$hash;
221			} else {
222			$value = ($urlencode) ? urlencode($option_value).'\|\|'.$hash : $option_value.'\|\|'.$hash;
223			}
224			}
225
226			if ($output) {
227			echo $value;
228			} else {
229			return $value;
230			}
231			}
232
233			/**
234			* Raw HTML Signing: Sign all links and form elements in a block of HTML
235			*
236			* Accepts a string of HTML and signs all links and forms.
237			* Requires link 'href' and form 'action' attributes to use 'https' and not 'http'.
238			* Requires a 'code' to be set in every form.
239			*
240			* @return string
241			**/
242			public static function fc_hash_html($html)
243			{
244			// Initialize some counting
245			$count['temp'] = 0; // temp counter
			0 ignored issues – show Comprehensibility Best Practice introduced 2019-05-14 05:23 UTC by Report Bug Copy Issue Report `$count` was never initialized. Although not strictly required by PHP, it is generally a good practice to add `$count = array();` before regardless. Loading history...
246			$count['links'] = 0;
247			$count['forms'] = 0;
248			$count['inputs'] = 0;
249			$count['lists'] = 0;
250			$count['textareas'] = 0;
251
252			// Find and sign all the links
253			preg_match_all(
254			'%<a .?href=([\'"])'.preg_quote(self::$cart_url).'(?:\.php)?\?(.+?)\1.?>%i',
255			$html,
256			$querystrings
257			);
258			self::$log[] = '<strong>Querystrings: </strong><pre>' . htmlspecialchars(print_r($querystrings, true)) .
259			'</pre>';
260			// print_r($querystrings);
261			foreach ($querystrings[2] as $querystring) {
262			// If it's already signed, skip it.
263			if (strpos($querystring, '\|\|')) {
264			continue;
265			}
266			$pattern = '%(href=([\'"]))'.preg_quote(self::$cart_url, '%').'(?:\.php)?\?'.
267			preg_quote($querystring, '%').'\2%i';
268			$signed = self::fc_hash_querystring($querystring, false);
269			$html = preg_replace($pattern, '$1'.$signed.'$2', $html, -1, $count['temp']);
270			$count['links'] += $count['temp'];
271			}
272			unset($querystrings);
273
274			// Find and sign all form values
275			preg_match_all(
276			'%<form [^>]?action=[\'"]'.preg_quote(self::$cart_url).'(?:\.php)?[\'"].?>(.+?)</form>%is',
277			$html,
278			$forms
279			);
280			foreach ($forms[1] as $form) {
281			$count['forms']++;
282			self::$log[] = '<strong>Signing form</strong> with data: '.
283			htmlspecialchars(substr($form, 0, 150)).'...';
284
285			// Store the original form so we can replace it when we're done
286			$form_original = $form;
287
288			// Check for the "code" input, set the matches in $codes
289			if (!preg_match_all(
290			'%<[^>]?name=([\'"])([0-9]{1,3}:)?code\1[^>]?>%i',
291			$form,
292			$codes,
293			PREG_SET_ORDER
294			)) {
295			self::$log[] = '<strong style="color:#600;">No code found</strong> for the above form.';
296			continue;
297			}
298			// For each code found, sign the appropriate inputs
299			foreach ($codes as $code) {
300			// If the form appears to be hashed already, don't bother
301			if (strpos($code[0], '\|\|')) {
302			self::$log[] = '<strong>Form appears to be signed already</strong>: '.htmlspecialchars($code[0]);
303			continue;
304			}
305			// Get the code and the prefix
306			$prefix = (isset($code[2])) ? $code[2] : '';
307			preg_match('%<[^>]?value=([\'"])(.+?)\1[^>]?>%i', $code[0], $code);
308			$code = trim($code[2]);
309			self::$log[] = '<strong>Prefix for '.htmlspecialchars($code).'</strong>: '.htmlspecialchars($prefix);
310			if (!$code) { // If the code is empty, skip this form or specific prefixed elements
311			continue;
312			}
313
314			// Sign all <input /> elements with matching prefix
315			preg_match_all(
316			'%<input [^>]?name=([\'"])'.preg_quote($prefix).'(?![0-9]{1,3})(?:.+?)\1[^>]>%i',
317			$form,
318			$inputs
319			);
320
321			// get parent codes if they exist and append them to our code
322			$parent_code_index = false;
323			foreach ($inputs[0] as $key => $item) {
324			if (strpos($item, 'parent_code') !== false) {
325			$parent_code_index = $key;
326			}
327			}
328			if ($parent_code_index !== false) {
329			if (preg_match('%value=([\'"])(.*?)\1%i', $inputs[0][$parent_code_index], $value)) {
330			$code .= $value[2];
331			}
332			}
333
334			foreach ($inputs[0] as $input) {
335			$count['inputs']++;
336			// Test to make sure both name and value attributes are found
337			if (preg_match(
338			'%name=([\'"])'.preg_quote($prefix).'(?![0-9]{1,3})(.+?)\1%i',
339			$input,
340			$name
341			) > 0) {
342			preg_match('%value=([\'"])(.*?)\1%i', $input, $value);
343			$value = (count($value) > 0) ? $value : array('', '', '');
344			preg_match('%type=([\'"])(.*?)\1%i', $input, $type);
345			$type = (count($type) > 0) ? $type : array('', '', '');
346			// Skip the cart excludes
347			$include_input = true;
348			if (in_array($prefix.$name[2], self::$cart_excludes)) {
349			$include_input = false;
350			}
351			foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
352			if (substr(strtolower($prefix.$name[2]), 0, strlen($exclude_prefix)) == $exclude_prefix) {
353			$include_input = false;
354			}
355			}
356			if (!$include_input) {
357			self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or
358			prefix "'.$prefix.$name[2].'" = '.$value[2];
359			continue;
360			}
361			self::$log[] = '<strong>INPUT['.$type[2].']:</strong> Name: <strong>'.$prefix.
362			htmlspecialchars(preg_quote($name[2])).'</strong>';
363			$value[2] = ($value[2] == '') ? '--OPEN--' : $value[2];
364			if ($type[2] == 'radio') {
365			self::$log[] = '<strong>Replacement Pattern:</strong> ([\'"])'.
366			$prefix.preg_quote($value[2]).'\1';
367			$input_signed = preg_replace(
368			'%([\'"])'.preg_quote($value[2]).'\1%',
369			'${1}'.self::fc_hash_value($code, $name[2], $value[2], 'value', false).
370			"$1",
371			$input
372			);
373			} else {
374			self::$log[] = '<strong>Replacement Pattern:</strong> name=([\'"])'.
375			$prefix.preg_quote($name[2]).'\1';
376			$input_signed = preg_replace(
377			'%name=([\'"])'.$prefix.preg_quote($name[2]).'\1%',
378			'name=${1}'.$prefix.self::fc_hash_value(
379			$code,
380			$name[2],
381			$value[2],
382			'name',
383			false
384			)."$1",
385			$input
386			);
387			}
388			self::$log[] = '<strong>INPUT:</strong> Code: <strong>'.htmlspecialchars($prefix.$code).
389			'</strong> :: Name: <strong>'.htmlspecialchars($prefix.$name[2]).
390			'</strong> :: Value: <strong>'.htmlspecialchars($value[2]).
391			'</strong><br />Initial input: '.htmlspecialchars($input).
392			'<br />Signed: <span style="color:#060;">'.htmlspecialchars($input_signed).'</span>';
393			$form = str_replace($input, $input_signed, $form);
394			}
395			}
396			self::$log[] = '<strong>FORM after INPUTS:</strong> <pre>'.htmlspecialchars($form).'</pre>';
397
398			// Sign all <option /> elements
399			preg_match_all(
400			'%<select [^>]name=([\'"])'.preg_quote($prefix).'(?![0-9]{1,3})(.+?)\1[^>]>(.+?)</select>%is',
401			$form,
402			$lists,
403			PREG_SET_ORDER
404			);
405			foreach ($lists as $list) {
406			$count['lists']++;
407			// Skip the cart excludes
408			$include_input = true;
409			if (in_array($prefix.$list[2], self::$cart_excludes)) {
410			$include_input = false;
411			}
412			foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
413			if (substr(strtolower($prefix.$list[2]), 0, strlen($exclude_prefix)) == $exclude_prefix) {
414			$include_input = false;
415			}
416			}
417			if (!$include_input) {
418			self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or
419			prefix "'.$prefix.$list[2];
420			continue;
421			}
422			preg_match_all(
423			'%<option [^>]value=([\'"])(.+?)\1[^>]>(?:.*?)</option>%i',
424			$list[0],
425			$options,
426			PREG_SET_ORDER
427			);
428			self::$log[] = '<strong>Options:</strong> <pre>'.htmlspecialchars(print_r($options, true)).'</pre>';
429			unset($form_part_signed);
430			foreach ($options as $option) {
431			if (!isset($form_part_signed)) {
432			$form_part_signed = $list[0];
433			}
434			$option_signed = preg_replace(
435			'%'.preg_quote($option[1]).preg_quote($option[2]).preg_quote($option[1]).'%',
436			$option[1].self::fc_hash_value($code, $list[2], $option[2], 'value', false).
437			$option[1],
438			$option[0]
439			);
440			$form_part_signed = str_replace($option[0], $option_signed, $form_part_signed);
441			self::$log[] = '<strong>OPTION:</strong> Code: <strong>'.htmlspecialchars($prefix.$code).
442			'</strong> :: Name: <strong>'.htmlspecialchars($prefix.$list[2]).
443			'</strong> :: Value: <strong>'.htmlspecialchars($option[2]).
444			'</strong><br />Initial option: '.htmlspecialchars($option[0]).
445			'<br />Signed: <span style="color:#060;">'.htmlspecialchars($option_signed).'</span>';
446			}
447			$form = str_replace($list[0], $form_part_signed, $form);
			0 ignored issues – show Comprehensibility Best Practice introduced 2019-05-14 05:23 UTC by Report Bug Copy Issue Report The variable `$form_part_signed` does not seem to be defined for all execution paths leading up to this point. Loading history...
448			}
449			self::$log[] = '<strong>FORM after OPTIONS:</strong> <pre>'.htmlspecialchars($form).'</pre>';
450
451			// Sign all <textarea /> elements
452			preg_match_all('%<textarea [^>]*name=([\'"])'.preg_quote($prefix).
453			'(?![0-9]{1,3})(.+?)\1[^>]>(.?)</textarea>%is', $form, $textareas, PREG_SET_ORDER);
454			// echo "\n\nTextareas: ".print_r($textareas, true);
455			foreach ($textareas as $textarea) {
456			$count['textareas']++;
457			// Skip the cart excludes
458			$include_input = true;
459			if (in_array($prefix.$textarea[2], self::$cart_excludes)) {
460			$include_input = false;
461			}
462			foreach (self::$cart_excludes_prefixes as $exclude_prefix) {
463			if (substr(strtolower($prefix.$textarea[2]), 0, strlen($exclude_prefix)) == $exclude_prefix) {
464			$include_input = false;
465			}
466			}
467			if (!$include_input) {
468			self::$log[] = '<strong style="color:purple;">Skipping</strong> the reserved parameter or
469			prefix "'. $prefix.$textarea[2];
470			continue;
471			}
472			// Tackle implied "--OPEN--" first, if textarea is empty
473			$textarea[3] = ($textarea[3] == '') ? '--OPEN--' : $textarea[3];
474			$textarea_signed = preg_replace(
475			'%name=([\'"])'.preg_quote($prefix.$textarea[2]).'\1%',
476			"name=$1".self::fc_hash_value($code, $textarea[2], $textarea[3], 'name', false)."$1",
477			$textarea[0]
478			);
479			$form = str_replace($textarea[0], $textarea_signed, $form);
480			self::$log[] = '<strong>TEXTAREA:</strong> Code: <strong>'.htmlspecialchars($prefix.$code).
481			'</strong> :: Name: <strong>'.htmlspecialchars($prefix.$textarea[2]).
482			'</strong> :: Value: <strong>'.htmlspecialchars($textarea[3]).
483			'</strong><br />Initial textarea: '.htmlspecialchars($textarea[0]).
484			'<br />Signed: <span style="color:#060;">'.htmlspecialchars($textarea_signed).'</span>';
485			}
486			self::$log[] = '<strong>FORM after TEXTAREAS:</strong> <pre>'.htmlspecialchars($form).'</pre>';
487
488			// Exclude all <button> elements
489			$form = preg_replace(
490			'%<button ([^>])name=([\'"])(.?)\1([^>]>.?</button>)%i',
491			"<button $1name=$2x:$3$4",
492			$form
493			);
494			}
495			// Replace the entire form
496			self::$log[] = '<strong>FORM after ALL:</strong> <pre>'.htmlspecialchars($form).'</pre>'.'replacing <pre>'.
497			htmlspecialchars($form_original).'</pre>';
498			$html = str_replace($form_original, $form, $html);
499			self::$log[] = '<strong>FORM end</strong><hr />';
500			}
501
502			// Return the signed output
503			$output = '';
504			if (self::$debug) {
505			self::$log['Summary'] = $count['links'].' links signed. '.$count['forms'].' forms signed. '.
506			$count['inputs'].' inputs signed. '.$count['lists'].' lists signed. '.$count['textareas'].
507			' textareas signed.';
508			$output .= '<div style="background:#fff;"><h3>FoxyCart HMAC Debugging:</h3><ul>';
509			foreach (self::$log as $name => $value) {
510			$output .= '<li><strong>'.$name.':</strong> '.$value.'</li>'."\n";
511			}
512			$output .= '</ul><hr />';
513			}
514			return $output.$html;
515			}
516			}
517

dynamic / silverstripe-foxy

Pull Request — master (#20)

FoxyCart_Helper::fc_hash_value() B

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like